Univention Bugzilla – Bug 35562
UMC module AD Connection should check Administrator account
Last modified: 2015-01-29 11:42:55 CET
Currently a user of the UMC module AD-Connection can enter any account in the join dialog. The UMC module should check that the standard Administrator account is used for this (which also exists in UCS OpenLDAP before the join). Otherwise the join of univention-samba will fail later on.

+++ This bug was initially created as a clone of Bug #34091 +++
Note that it's required to use the localized spelling of the account, as it is found in Active Directory (e.g. "Administrateur" in French AD). The AD and UCS accounts are matched via their Well Known RIDs (and the English spelling in UCS gets replaced by the localized version during the join process). This matching process is only performed for Well Known Accounts.
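An added example (not Univention's code, and not taken from the UMC module) of why matching on the well-known RID rather than the name handles localized or renamed accounts: it decodes a binary `objectSid` and checks for RID 500, and additionally for membership in Domain Admins (RID 512). The function names and the sample domain SID are assumptions made for illustration.

```python
import struct

# Well-known relative identifiers (RIDs); identical in every AD domain and locale.
RID_ADMINISTRATOR = 500   # built-in Administrator account
RID_DOMAIN_ADMINS = 512   # Domain Admins group


def parse_sid(raw):
    """Decode a binary objectSid value into its string form (S-1-5-21-...)."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])     # 32-bit, little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def split_rid(sid):
    """Return (domain_sid, rid) for a string SID."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def check_join_account(account_sid, group_sids, domain_sid):
    """Hypothetical check: return a list of problems, empty if acceptable."""
    problems = []
    acc_domain, acc_rid = split_rid(account_sid)
    # The account name is ignored on purpose: it may be localized or renamed.
    if acc_domain != domain_sid or acc_rid != RID_ADMINISTRATOR:
        problems.append("not the built-in Administrator (RID 500) of this domain")
    if "%s-%d" % (domain_sid, RID_DOMAIN_ADMINS) not in group_sids:
        problems.append("not a member of Domain Admins (RID 512)")
    return problems


def build_sid(domain_subs, rid):
    """Constructed sample data: encode S-1-5-21-<domain_subs>-<rid> as binary."""
    subs = (21,) + tuple(domain_subs) + (rid,)
    header = bytes([1, len(subs)]) + (5).to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(subs), *subs)
```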
Advisory: 2014-12-09-univention-ad-connector.yaml
The tests still fail:

python-univention-lib 4.0.5-7.291.201412091559

Starting univention-s4-connector daemon.
Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/main.py", line 41, in <module>
    import univention.s4connector
  File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 53, in <module>
    univention.admin.modules.update()
  File "/usr/lib/pymodules/python2.7/univention/admin/modules.py", line 92, in update
    os.path.walk(dir, _walk, p)
  File "/usr/lib/python2.7/posixpath.py", line 246, in walk
    walk(name, func, arg)
  File "/usr/lib/python2.7/posixpath.py", line 238, in walk
    func(arg, top, names)
  File "/usr/lib/pymodules/python2.7/univention/admin/modules.py", line 76, in _walk
    m=__import__(mod, globals(), locals(), name)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 52, in <module>
    import univention.lib.admember
  File "/usr/lib/pymodules/python2.7/univention/lib/admember.py", line 57, in <module>
    import dns.resolver
  File "/usr/share/pyshared/univention/s4connector/s4/dns.py", line 36, in <module>
    import univention.s4connector.s4
  File "/usr/lib/pymodules/python2.7/univention/s4connector/s4/__init__.py", line 720, in <module>
    class s4(univention.s4connector.ucs):
AttributeError: 'module' object has no attribute 's4connector'
 failed.
Uh, nasty side effect. I added a workaround to fix this.
YAML: OK, some small adjustments (r57401)

It works now as expected. I could rename the Administrator user and the join was possible.

If I try to join as a Non-Domain Admin user, I get the following message (in German):

"Ein Fehler ist aufgetreten: Die Anfrage konnte nicht ausgeführt werden. Fehlernachricht des Servers: Das angegebene Konto ist nicht Mitglied der Gruppe Domain Admins in AD."

At least the last sentence should be adjusted, for example:

Der angegebene Benutzer ist kein Mitglied der Gruppe Domain Admins im Active Directory. Dies ist eine Voraussetzung für den Active Directory Domänenbeitritt.
Ok, message adjusted, Advisory updated.
Message during module installation looks good.
<http://errata.univention.de/ucs/4.0/55.html>
<http://errata.univention.de/ucs/4.0/56.html>